Published in News

Equifax used Custers' defence for data breach

by on12 September 2017

Blame the Apache

The mainstream press has been claiming that open source software is to blame for the Equifax data breach but it is starting to look like it might not know what it is talking about.

The blame for the record-breaking cybersecurity breach that affects at least 143 million people falls on the open-source server framework, Apache Struts, according to equity research firm Baird. The firm's source, per one report, is believed to be Equifax.

Apache Struts is a popular open source software programming Model-View-Controller (MVC) framework for Java. However, it is not a vendor software program and it is unproven that Struts was the source of the hole the hackers drove through.

Several headlines, which have now been retracted, are based on a single quote by a non-technical analyst from an Equifax source.

Open sources have taken to the web to hit out at Equifax saying that its own data breach detector is useless and untrustworthy. Adding insult to injury, the credit agency's advice and support site looks, at first glance, to be a bogus, phishing-type site: "".

Something which is confirmed by the first thing it asks you is the last six figures of your social security number and last name.

So why has Struts been indentified as the cause of the breach? Two days before the Equifax breach was reported a new and significant Struts zero day security problem was announced.

However Equifax admitted hackers had broken in between mid-May through July, long before the most recent Struts flaw was revealed.

This probably means that if the problem was indeed with Struts -- it was with a separate but equally serious security problem in Struts which was first patched in March.

ZDNET pointed out that the question then becomes: is it the fault of Struts developers or Equifax's developers, system admins, and their management?
"The people who ran the code with a known 'total compromise of system integrity' should get the blame", reports ZDNet.

Last modified on 12 September 2017
Rate this item
(0 votes)

Read more about: